The Government Accountability Office (GAO) recently conducted an audit of the US banking regulators and discovered they really need to hire and train more examiners with technology and cyber security expertise so they can provide more useful recommendations to small and mid-sized banks:
Multiple U.S. regulators, including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, examine banks and other financial institutions that take deposits. Examiners’ findings may include how the institutions can improve their cyber security practices.
Each of the regulators employs dozens of examiners with specialized technology expertise, but typically assigns those examiners to the largest banking institutions, the GAO said.
Examiners with “little to no” information technology expertise generally examine small and mid-sized banks. Their findings may not be as “specific or useful” as those from more experienced counterparts, the GAO said.
The various regulators have been trying to improve their oversight of bank technology, the GAO noted. For example, the FDIC imposed a four-course training requirement for examiners in 2010 to boost their technology know-how. Three-quarters of examiners had completed between one and three courses as of the end of 2014.
Among the GAO’s other concerns: regulators are not collecting and storing technology exam findings in a way that makes it easy to search industry-wide trends.
The regulators, in letters to the GAO, said they are ramping up their systems for categorizing the data.
A regulation team with little or no IT and cyber security experience is essentially pointless. While they can surely read a checklist, they have no context with which to properly comprehend what those recommendations mean in practical terms.